How to add HTTP security headers (HSTS, CSP and more)
A practical guide to the HTTP security headers every site should send — what each one does, safe values to start with, and how to roll them out without breaking things.
HTTP security headers are instructions your server sends with every response that tell the browser to enforce protections — forcing HTTPS, blocking clickjacking, limiting what scripts can run. They're free defence-in-depth, and most take one line of server or CDN config.
The headers that matter#
| Header | What it does | Safe starting value |
|---|---|---|
| Strict-Transport-Security | Forces HTTPS for future visits | max-age=63072000; includeSubDomains |
| X-Content-Type-Options | Stops MIME-type sniffing | nosniff |
| X-Frame-Options | Blocks clickjacking via iframes | DENY |
| Referrer-Policy | Limits referrer leakage | strict-origin-when-cross-origin |
| Permissions-Policy | Disables unused browser features | camera=(), microphone=(), geolocation=() |
| Content-Security-Policy | Controls what can load/run | see the CSP guide |
HSTS: force HTTPS#
HSTS tells browsers to only ever use HTTPS for your domain, defeating downgrade attacks. Start with a long max-age and includeSubDomains:
Strict-Transport-Security: max-age=63072000; includeSubDomainspreload (and submit to hstspreload.org) once every subdomain reliably serves HTTPS — preload is hard to undo and applies to all subdomains.Roll out safely#
- Add the unambiguous headers first (nosniff, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS) — they rarely break anything.
- Add CSP last and in
Content-Security-Policy-Report-Onlymode first, so violations are reported but nothing is blocked. - Watch the reports, fix legitimate blocks, then switch CSP to enforcing.
Set them at your CDN/edge or server. Generate a ready-to-paste set (raw, nginx or Apache) with the Security Headers Generator, then confirm they're live with the HTTP Header Checker.
Frequently asked questions
▸ ▾ Which security header should I add first?
Start with the ones that never break anything: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, a Referrer-Policy, a Permissions-Policy, and HSTS (without preload). Add Content-Security-Policy last, in report-only mode.
▸ ▾ Where do I set HTTP headers?
At your CDN/edge (Cloudflare, Fastly, Vercel), your web server (nginx, Apache), or in your app framework. Setting them at the edge applies them everywhere at once.
▸ ▾ Do security headers slow down my site?
No — they're a few extra bytes per response and enforced by the browser. The only one that needs care is CSP, because a wrong policy can block your own resources; roll it out in report-only mode first.
Do it with a free tool
Related guides
Published 2026-07-09 · Updated 2026-07-09 · By Crawlsonar.